
Cisco Router Hack Inspires New Patching Religion 48

Posted by timothy
from the which-wire-to-cut-first? dept.
ancientribe writes "The dirty little secret about patching routers is that many enterprises don't bother — for fear of the fallout any changes to their Cisco router software could have on the rest of their infrastructure. But the recent discovery of a way to easily hack these devices has put pressure on organizations to change their ways and patch. This article in Dark Reading gives tips on how to patch without taking down the network, including input from Cisco's own director of IT on how Cisco itself handles router patching."
  • Crap (Score:2, Interesting)

    by Anonymous Coward
    Hope my boss doesn't hear of this and ask me how we're doing on patching the routing equipment. It's always a nervous wait as the stuff comes back up; we tend to block things at the perimeter and via ACLs.
  • by Anonymous Coward
    I suppose that's all religions really are, a loose set of beliefs, policies, and procedures that should be followed to make the world a better place.
    • Re: (Score:2, Troll)

      by rthille (8526)

      ^better^worse

      • Re: (Score:1, Insightful)

        by Anonymous Coward
        Cute,
        Shall we apply all of the horrors that Atheists have committed to all Atheists as well?

        No, I didn't think so. Try not to confuse the horrors of what people have done in the name of $foo with $foo itself.

        Normally I would ignore it, but your sig shows that you're not a troll but you actually believe it.
        • Re: (Score:1, Insightful)

          by Anonymous Coward

          In the bible it says: 'Do unto others as you would have done to you'.

          If you judge Christians by how they fare in following this rule, then no true Christian has ever committed an atrocity.

          Oh, there are a lot of people who *say* they are Christians, sure, there are also a lot of people who *claim* to be atheists.

        • Re: (Score:3, Funny)

          by drsmithy (35869)

          Shall we apply all of the horrors that Atheists have committed to all Atheists as well?

          How many of them were done in the name of Atheism ?

          • Re: (Score:3, Insightful)

            by neomunk (913773)

            Lessee... Yeah, I think this is appropriate...

            In Soviet Russia, religion denies YOU!

  • by Glendale2x (210533) <slashdot@NoSpam.ninjamonkey.us> on Thursday March 26, 2009 @03:23PM (#27347427) Homepage

    Fear? What the hell? It's well known that infrastructure-collapsing bugs are frequently introduced. Some trains of IOS have a horrible reputation depending on your platform. And playing in T train land? Good luck with that game of Russian roulette.

    • by Em Emalb (452530)

      Parent poster nailed it.

      Even the Russian judge gave him a 9.75.

      If I had points, I'd mod you up. I can't count the number of times we upgraded to a newer rev to fix a bug or security flaw only to find that 3 other things broke during the process.

      Upgrading code on a Cisco device is a crap-shoot sometimes.

      • Re: (Score:3, Insightful)

        by dave562 (969951)
        This has been my experience as well. Cisco hardware seems to be rock solid once you get it configured. However, it oftentimes falls into the "If it ain't broke, don't even think about fucking touching it." mentality.
      • Yes, but I've worked many places where they let the software fall so far behind that the admins have -absolutely- no idea what would happen if they upgraded to a recent bugfix release. It might be scary re-flashing your switches and routers on an incremental basis, but I've been shot down on major important upgrades because we had configs that haven't been altered in five years!

      • Well that's your own fault, for not reading the release notes on the new revision, and checking to see if there are any Open Issues that affect your particular config. If you're really lazy you can open a TAC case and have one of their front line guys do it for you.

        I've been running 12.4T since 12.4.2T2, on over 100 routers, with complex BGP, DMVPN, and QoS configs, with no problem. No problem because I made sure I wasn't going to get hit with a known bug, but yes, I'll agree that there are usually quite

        • by Em Emalb (452530)

          Wow, arrogant much?

          I'm talking about basically having no recourse but to upgrade to a different rev to fix an existing issue that is caused by a software bug that breaks a couple other things. It's a damned if you do, damned if you don't situation.

          A lot of the time you're forced to upgrade because the bug you're dealing with is affecting a mission critical app (VOIP, for example, PSTN calls randomly failing is a good one) and the resolution breaks something else.

          This is my job. I've been doing it for years.

  • TFA:

    Researcher Felix "FX" Lindner's research earlier this year demonstrated that multiple versions of routers can be attacked -- specifically, Cisco's PowerPC routers -- shooting down the assumption that hacking routers requires separate exploits for each type of router.

    Oh, wow, so, it doesn't matter that your infrastructure has a mish-mash of routers because they can easily attack them all in the same way? FFFFFFUUUUUUU---

    "The idea that the variability of router platforms would defend you from an attacker is false. All versions have something in common [in this research], and this is not just in theory, but FX demonstrated it and used it to exploit all [PowerPC IOS] versions."

    Er, wait, so, you "demonstrated" by testing it all on one specific line of routers? How is that any kind of proof?

    I smell Cisco astroturfing to make having to patch routers sound like it's important for everyone's routers and not just theirs.

    • by Effugas (2378) *

      What FX has shown is that each hardware line tends to have enough in common that exploits can be built independent of the individual version of software deployed on that piece of hardware. That's a decrease in variability of at least a couple orders of magnitude.

  • What is a patching religion? And why are Cisco people susceptible to such idiocy? Can't they leave such thinking to the Republicans?

    Can anyone help me fan this little fire I've started?
    • by doas777 (1138627)
      well, patching is generally accepted as rule 2 in running a secure system.
      rule 1 is "Test Test Test".
      I often find that people who have big troubles with rule 2 have the same troubles with rule 1.
  • SLA? (Score:5, Insightful)

    by doas777 (1138627) on Thursday March 26, 2009 @04:01PM (#27348191)
    if they want me to patch my router, then they should give me the patch for free, don't you think?
    • Re:SLA? (Score:4, Informative)

      by mikkelm (1000451) on Thursday March 26, 2009 @04:58PM (#27349149)

      They do. You'll be able to use every minor release in your release train free of charge, and they'll be developed for your platform until the product reaches end of life. You don't pay for patches.

    • Re:SLA? - They do. (Score:2, Informative)

      by Anonymous Coward

      If there is a security vulnerability in your IOS, call Cisco, say you have no support contract and they will give you the latest patch at your release level for nothing (or an upgraded release if there is no patch at your level).

    • by gth-au (1300077)

      You're right, downloading patches from Cisco is such a pain with their registration requirements. Better to Google the filename and grab the IOS (the version you think you need) from whatever 3rd party has stuck it on their ad-supported page, right? After all, nobody would put malware in a router update, surely...

  • by Anonymous Coward

    The dirty little secret about patching routers is that you can't just download the damned things. Why do I need to be certified and SLA'ed 3 ways round, or go to some third party, just to get it?

    Up yours, Cisco!

    • Re: (Score:3, Informative)

      by amorsen (7485)

      If you manage to get hold of the actual Cisco vulnerability statement, it contains information about how to request a patched version even if you don't have a service contract.

  • Test it in the lab, eh? Yeah, right.... Gone are the days when even largish companies have a lab that even looks vaguely like what they actually have running, or the staff to run and maintain one. At best it's some creaking old collection of cast-off routers & switches.
